FBI will not share iPhone vulnerability in San Bernardino case

The decision casts new light on a review process that government officials say is rigorous and weighted toward disclosure but some critics contend is subject to manipulation.


The FBI has opted not to submit the method used to unlock the Apple iPhone of one of the San Bernardino, Calif., shooters to an interagency review process for disclosing software vulnerabilities.

Bureau officials said they did not know enough about the technical details of the vulnerability exploited by an unidentified third party to submit the flaw for a meaningful review.

The decision casts new light on a review process that government officials say is rigorous and weighted toward disclosure but critics contend is subject to manipulation based on agencies' self-interests.

The Vulnerabilities Equities Process, led by White House Cybersecurity Coordinator Michael Daniel, reviews the zero-day, or previously unknown, software flaws that agencies discover to determine whether it is in U.S. interests to disclose them -- so that companies can issue patches -- or hold onto them for intelligence gathering.

"The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," said Amy Hess, the FBI's executive assistant director for science and technology, in a statement. "We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process."

FBI Director James Comey strongly hinted last week that the bureau paid more than $1 million to a contractor to unlock an iPhone 5c used by Syed Rizwan Farook. In December, Farook and his wife murdered 14 people in San Bernardino and were later killed by police.

As of mid-April, law enforcement officials had found nothing of significance on the phone after unlocking it, CBS News reported.

"Whatever vulnerability the FBI was able to exploit to access the San Bernardino shooter's phone can theoretically be used by criminals, hackers and any organization -- foreign or domestic -- to access other similar iPhones," Rep. Ted Lieu (D-Calif.) said in a statement to FCW. "We are better off when encryption is stronger. That is why I believe the FBI should share the vulnerability with Apple so that it can be patched before any serious damage is done," he said.

Jason Healey, who was director for cyber infrastructure protection at the White House from 2003 to 2005, did not mince words when FCW asked for a reaction to the FBI's decision.

"It certainly seems possible, if not likely, [that the] FBI arranged for this contract wording specifically to bypass" the disclosure process, said Healey, who is now a senior research scholar at Columbia University. "As such, they probably have tied the hands of the White House, specifically to subvert [President Barack Obama's] intent."

Obama has preferred that the administration generally disclose the software vulnerabilities it discovers, with a broad exception for those with a "clear national security or law enforcement need," the New York Times reported in April 2014.

Historically, the National Security Agency has revealed more than 91 percent of the vulnerabilities it has discovered, the agency said in a statement last year.

"It's a thoughtful discussion, trying to understand offensive capability but also understand the risk to the government in not disclosing that vulnerability," said Curt Dukes, head of NSA's Information Assurance Directorate, in a January interview with FCW.

NSA's Information Assurance and Signals Intelligence directorates try to agree on which vulnerabilities to disclose, but if they can't, NSA Director Adm. Michael Rogers makes the final decision, Dukes added.

The Apple/FBI standoff is the most high-profile case yet involving VEP, and security experts and privacy advocates are watching closely.

The FBI's decision not to submit the iPhone vulnerability to VEP "calls into serious question the White House's claim [that the process is] heavily weighted toward disclosure," said Kevin Bankston, director of New America's Open Technology Institute.

Hess said the FBI does not usually comment on whether a vulnerability is submitted to the interagency review process. However, bureau officials decided to break with convention due to "the extraordinary nature of this particular case" and the fact that the FBI had revealed publicly that it had exploited the vulnerability, she added.
